A council has been fined £100,000 after it accidentally faxed details of a child sex abuse case to a member of the public, it emerged today.
Red-faced chiefs at Hertfordshire County Council have apologised after admitting a series of embarrassing data protection gaffes.
An investigation by the Information Commissioner found staff from the childcare litigation unit sent two faxes to the wrong recipients.
The first fax about a child sex abuse case was meant for a barristers’ chambers but was sent to an unconnected member of the public instead.
Just 13 days later a different staff member faxed confidential material about a child care case including previous convictions, domestic violence and professionals’ comments, to the wrong barristers’ chambers.
Information commissioner Christopher Graham said he was ”concerned” that the council made two mistakes in June this year.
He said: ”It is difficult to imagine information more sensitive than that relating to a child sex abuse case.
”I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks.
”These first monetary penalties send a strong message to all organisations handling personal information – get it wrong and you do substantial harm to individuals and the reputation of your business.”
After the first breach occurred, the council did not take sufficient steps to reduce the likelihood of another breach occurring, Mr Graham added.
The council was fined £100,000 for breaching the Data Protection Act.
Councillor Chris White, leader of Hertfordshire’s Liberal Democrat opposition group said: ”This complacent council has done it again. It can’t fix the roads. It can’t get its accounts straight. And it can’t prevent itself from sending confidential papers to the wrong address.
”It’s not as though this were one off incompetence: it happened twice and the council failed to take proper action over the first occasion.
”Residents who bump along over poorly maintained roads while listening to the county council boasting about how wonderful it is in one of the two dozen press releases it issues each day will be asking how the £100,000 fine will be paid for.”
A Hertfordshire County Council spokesman said it has apologised for the errors.
He added: ”We are sorry that these mistakes happened and have put processes in place to try to prevent any recurrence.
”We accept the findings of the commissioner.”
Sheffield-based A4e was fined £60,000 for losing an unencrypted laptop with the details of thousands of people during a similar investigation.
The computer contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
It was later stolen from the employee’s house and an unsuccessful attempt to access the data was made shortly afterwards.
Personal details recorded on the system included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.
Mr Graham said the theft of the laptop was “less shocking” than the council’s security breaches.
A4e said the theft was a ‘one-off’ incident and has apologised and contacted everyone who had details stored on the laptop.
Chief executive Andrew Dutton added: ”We acted very swiftly after the incident in June, including making a voluntary report to the ICO.
”We alerted all customers, partners and relevant authorities affected and continue to update them.
”This incident occurred as a result of a breach of our security procedures. It also came at a time when A4e was rolling out a new, robust, company-wide set of security controls and procedures.
”Our priority has always been, and remains, our customers and partners. We have apologised for any distress caused to those involved in this one-off incident in Hull and Leicester and we do so again.”
